When two parties communicate, they often need to protect both the privacy and the authenticity of the transmitted data. Protecting the privacy of the data ensures that unauthorized parties cannot understand the content of transmissions. Protecting the authenticity of the data assures the receiving party that a message originated with its claimed sender and, by the same mechanism, that the message was not modified in transit, whether accidentally or deliberately.
In an authenticated-encryption method, the sender encrypts a message using a key and a nonce (also called an initialization vector, or IV) to yield a ciphertext. The receiver decrypts the ciphertext using the same key and nonce to yield either the message or a special symbol for invalid, which indicates to the receiver that the ciphertext should be regarded as inauthentic and must not be used. The nonce need not be secret, but it must not be reused with the same key: in modes such as GCM, nonce reuse compromises both the privacy of the plaintexts and the authenticity guarantee.
Privacy-only encryption computes a ciphertext from a plaintext, a key, and a nonce. A message authentication code (MAC) computes an authentication tag from a message and a key. To MAC a message means to compute its authentication tag using a message authentication code.
By way of further background, the advanced encryption standard (AES) block cipher algorithm, or AES cipher, is an iterative cipher algorithm, meaning that the same sequence of transformations is applied to the data a predetermined number of times, each pass being called a round. The block length is fixed at 128 bits and the key length may be independently set to 128, 192 or 256 bits. The number of rounds (Nr) is 10, 12 or 14 for the three key lengths, respectively. (In the original Rijndael proposal the block length could also be 192 or 256 bits and Nr depended on both the block length and the key length; the standardized AES fixes the block length at 128 bits, so Nr depends on the key length alone.)
The AES cipher encrypts a block of data by first adding the initial round key to the block and then performing 9, 11 or 13 complete round transformations followed by a final incomplete round transformation. The incomplete round transformation includes one less step than a complete round transformation. The data string that is operated upon during each round is called a “State,” which is represented as a rectangular array of bytes having four rows and a number of columns (Nb) equal to the block length divided by 32. For AES, with its 128-bit block, Nb is always 4; the values 6 and 8 arise only for the 192- and 256-bit block lengths of Rijndael. Each complete round includes the following four transformations, performed in the following order: (1) ByteSub; (2) ShiftRow; (3) MixColumn; and (4) AddRoundKey. (FIPS-197 names these SubBytes, ShiftRows, MixColumns and AddRoundKey.) The incomplete round transformation does not include the MixColumn transformation.
Similar to encryption, the AES cipher decrypts data by performing the same number of complete rounds followed by an incomplete round. Because each encryption transformation is invertible, the State of each decryption round is operated on by the inverses of the above-noted transformations; AddRoundKey, being an exclusive-OR with the round key, is its own inverse. Moreover, the properties of the transformations and inverse transformations allow for symmetry in the encryption and decryption algorithms. In other words, each complete decryption round may perform the following inverse transformations in the listed order: (1) InvByteSub; (2) InvShiftRow; (3) InvMixColumn; and (4) AddRoundKey, provided that the round keys used in the complete decryption rounds are themselves passed through InvMixColumn (the “equivalent inverse cipher” of FIPS-197). Again, similar to encryption, the incomplete decryption round transformation does not include the InvMixColumn transformation.
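The round structure described above, as an added worked example that is not part of the original specification or of FIPS-197 itself: a compact pure-Python AES encryption in which the initial key addition, the Nr-1 complete rounds and the final round without MixColumn are written out explicitly. The S-box is derived rather than tabulated, and the key schedule handles all three key lengths so that the 10/12/14-round dependence on key length is visible. All function and variable names are the example's own; the outputs are checked against the test vectors in FIPS-197 Appendices B and C.

```python
"""Compact AES (FIPS-197) encryption in pure Python, written to expose the
round structure: an initial AddRoundKey, Nr-1 complete rounds (SubBytes,
ShiftRows, MixColumns, AddRoundKey) and a final round that omits MixColumns.
Illustrative only: table lookups are not constant-time; do not use in production."""


def _build_sbox():
    """Derive the S-box: GF(2^8) multiplicative inverse, then the affine map.
    p walks the powers of 3 while q walks the inverse powers, so q == p^-1."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                              # q /= 3 (three steps)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # the four rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; only the affine constant remains
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xtime(a):
    """Multiply by x in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1


def _mul(a, b):
    """General GF(2^8) product, used for the MixColumns constants 2 and 3."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def expand_key(key):
    """Key schedule: Nr+1 round keys of 16 bytes for a 16-, 24- or 32-byte key."""
    nk = len(key) // 4          # key length in 32-bit words: 4, 6 or 8
    nr = nk + 6                 # rounds: 10, 12 or 14
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:         # RotWord, SubWord, then Rcon into the first byte
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:  # extra SubWord only for 256-bit keys
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nr + 1)]


# The State is kept column-major: byte index = row + 4 * column (FIPS-197 3.4).
def sub_bytes(s):
    return [SBOX[b] for b in s]


def shift_rows(s):
    """Row r is rotated left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """Each column is multiplied by the fixed polynomial {03}x^3+{01}x^2+{01}x+{02}."""
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        out += [_mul(a[0], 2) ^ _mul(a[1], 3) ^ a[2] ^ a[3],
                a[0] ^ _mul(a[1], 2) ^ _mul(a[2], 3) ^ a[3],
                a[0] ^ a[1] ^ _mul(a[2], 2) ^ _mul(a[3], 3),
                _mul(a[0], 3) ^ a[1] ^ a[2] ^ _mul(a[3], 2)]
    return out


def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]


def encrypt_block(key, block):
    """Encrypt one 16-byte block under a 128-, 192- or 256-bit key."""
    round_keys = expand_key(key)
    nr = len(round_keys) - 1
    s = add_round_key(list(block), round_keys[0])                # initial key addition
    for r in range(1, nr):                                       # Nr-1 complete rounds
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), round_keys[r])
    s = add_round_key(shift_rows(sub_bytes(s)), round_keys[nr])  # final round: no MixColumns
    return bytes(s)


if __name__ == "__main__":
    # FIPS-197 Appendix C vectors: one plaintext under 128/192/256-bit keys.
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for klen in (16, 24, 32):
        key = bytes(range(klen))
        print(klen * 8, "bit key,", len(expand_key(key)) - 1, "rounds:",
              encrypt_block(key, pt).hex())
```

The four transformations are written with FIPS-197's names (SubBytes, ShiftRows, MixColumns, AddRoundKey), corresponding to ByteSub, ShiftRow, MixColumn and AddRoundKey above. Table lookups indexed by secret data are not constant-time, so this is a teaching implementation rather than a building block for a product.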
Greater detail of the AES cipher may be found in Federal Information Processing Standards Publication 197 (FIPS PUB 197) issued by the National Institute of Standards and Technology (NIST). The publication is the Advanced Encryption Standard (AES), dated Nov. 26, 2001, and may be obtained electronically at http://csrc.nist.gov/publications/. This publication is incorporated herein, in its entirety, by reference.
The AES cipher supports different modes of operation, including cipher block chaining (CBC), electronic codebook (ECB) and Galois/counter mode (GCM). CBC and ECB provide privacy only. GCM is a block cipher mode of operation that combines counter-mode encryption with a universal hash function (GHASH) computed over the binary Galois field GF(2^128) to provide authenticated encryption of the message together with authentication of any additional, unencrypted data. The detailed document titled “The Galois/Counter Mode of Operation (GCM)” may be found at csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.pdf. This publication is also incorporated herein, by reference, in its entirety.
A conventional GCM-AES block cipher system performs encryption over 10, 12 or 14 rounds using round keys. The hash key used by GHASH is obtained by encrypting the all-zero block under the cipher key, that is, by running all 10, 12 or 14 rounds with the round keys; the hash key therefore depends only on the key and not on the data. In a conventional system this computation is repeated for every frame or packet that is transmitted to a remote receiver, which costs the sender 10, 12 or 14 clock cycles for every frame or packet. Similarly, during decryption, the receiver spends 10, 12 or 14 clock cycles calculating the hash key from the round keys for every frame or packet. This disadvantageously reduces throughput and increases the latency of the processor in authenticating the respective frame or packet. The present invention addresses and, as one of its features, solves this deficiency.
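The Galois-field hashing at the heart of GCM, as an added example that is not part of the original specification or of the GCM spec: a pure-Python GHASH over GF(2^128), the combination of its output with the encrypted initial counter into the authentication tag, and the receiver-side accept/invalid decision described in the authenticated-encryption discussion above. Because the example contains no AES, the hash key H (AES-128 of the all-zero block under the all-zero key) and the encrypted counter block E_K(Y0) are copied from Test Cases 1 and 2 of the GCM specification instead of being computed; all function names are the example's own.

```python
"""GHASH, the universal hash that GCM computes over GF(2^128), in pure Python.
H = E_K(0^128) and E_K(Y0) are copied from the GCM specification's test vectors
(AES-128, all-zero key, 96-bit zero IV) because this block contains no AES.
Illustrative only: the multiplication is not constant-time."""
import hmac

# x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected encoding: the leftmost bit of a
# block is the coefficient of x^0, so the reduction constant is 11100001 || 0^120.
R = 0xE1 << 120


def gf128_mul(x, y):
    """Product of two field elements given as big-endian 128-bit integers
    (Algorithm 1 of the GCM spec)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:               # Y_i, counting from the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1  # V = V * x, reducing on overflow
    return z


def _blocks(data):
    """Split into 16-byte blocks, zero-padding the last one."""
    return [data[i:i + 16].ljust(16, b"\x00") for i in range(0, len(data), 16)]


def ghash(h, aad, ciphertext):
    """GHASH_H(A, C): absorb A, then C, then the 64-bit bit lengths of each."""
    hk = int.from_bytes(h, "big")
    lengths = (len(aad) * 8).to_bytes(8, "big") + (len(ciphertext) * 8).to_bytes(8, "big")
    y = 0
    for block in _blocks(aad) + _blocks(ciphertext) + [lengths]:
        y = gf128_mul(y ^ int.from_bytes(block, "big"), hk)
    return y.to_bytes(16, "big")


def gcm_tag(h, aad, ciphertext, ek_y0):
    """T = GHASH_H(A, C) XOR E_K(Y0), where Y0 is the initial counter block."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), ek_y0))


def verify_tag(h, aad, ciphertext, ek_y0, tag):
    """Receiver side: True to accept, False for the 'invalid' symbol."""
    return hmac.compare_digest(gcm_tag(h, aad, ciphertext, ek_y0), tag)


if __name__ == "__main__":
    # GCM spec Test Case 2 (constants copied from the spec, not computed here).
    H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    EK_Y0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")
    C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    tag = gcm_tag(H, b"", C, EK_Y0)
    print("tag:", tag.hex())                      # ab6e47d42cec13bdf53a67b21257bddf
    print("accepts genuine:", verify_tag(H, b"", C, EK_Y0, tag))
    tampered = bytes([C[0] ^ 1]) + C[1:]
    print("accepts 1-bit change:", verify_tag(H, b"", tampered, EK_Y0, tag))
```

Note where the cost sits: H is a function of the key alone and needs to be computed once per key, whereas the per-frame work is one field multiplication per 16-byte block of additional data and ciphertext plus one for the length block. The final comparison uses hmac.compare_digest so that a forged tag is not rejected early in a data-dependent way.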